Available CI/CD variables

These CI/CD variables are specific to the browser-based DAST analyzer. They can be used to customize the behavior of DAST to your requirements. For authentication CI/CD variables, see Authentication.

CI/CD variable Type Example Description
DAST_ACTIVE_SCAN_TIMEOUT Duration string 3h The maximum amount of time to wait for the active scan phase of the scan to complete. Defaults to 3h.
DAST_ACTIVE_SCAN_WORKER_COUNT number 3 The number of active checks to run in parallel. Defaults to 3.
DAST_AUTH_AFTER_LOGIN_ACTIONS string click(on=id:remember-me),click(on=css:.continue) A comma-separated list of actions to be run after login but before login verification. Currently supports “click” actions.
DAST_AUTH_BEFORE_LOGIN_ACTIONS selector css:.user,id:show-login-form A comma-separated list of selectors representing elements to click on prior to entering the DAST_AUTH_USERNAME and DAST_AUTH_PASSWORD into the login form.
DAST_AUTH_CLEAR_INPUT_FIELDS boolean true Disables clearing of username and password fields before attempting manual login. Set to false by default.
DAST_AUTH_COOKIE_NAMES string sessionID,groupName Set to a comma-separated list of cookie names to specify which cookies are used for authentication.
DAST_AUTH_FIRST_SUBMIT_FIELD selector css:input[type=submit] A selector describing the element that is clicked on to submit the username form of a multi-page login process.
DAST_AUTH_PASSWORD_FIELD selector name:password A selector describing the element used to enter the password on the login form.
DAST_AUTH_NEGOTIATE_DELEGATION string *.example.com,example.com,*.EXAMPLE.COM,EXAMPLE.COM Which servers should be allowed for integrated authenticaiton and delegation. This property sets two Chromium policies: AuthServerAllowlist and AuthNegotiateDelegateAllowlist. Introduced in GitLab 17.6.
DAST_AUTH_PASSWORD string P@55w0rd! The password to authenticate to in the website.
DAST_AUTH_REPORT boolean true Set to true to generate a report detailing steps taken during the authentication process. You must also define gl-dast-debug-auth-report.html as a CI job artifact to be able to access the generated report. The report’s content aids when debugging authentication failures. Defaults to false.
DAST_AUTH_SUBMIT_FIELD selector css:input[type=submit] A selector describing the element clicked on to submit the login form for a single-page login form, or the password form for a multi-page login form.
DAST_AUTH_SUCCESS_IF_AT_URL URL https://www.site.com/welcome A URL that is compared to the URL in the browser to determine if authentication has succeeded after the login form is submitted.
DAST_AUTH_SUCCESS_IF_ELEMENT_FOUND selector css:.user-avatar A selector describing an element whose presence is used to determine if authentication has succeeded after the login form is submitted.
DAST_AUTH_SUCCESS_IF_NO_LOGIN_FORM boolean true Verifies successful authentication by checking for the absence of a login form after the login form has been submitted. This success check is enabled by default.
DAST_AUTH_TYPE string basic-digest The authentication type to use.
DAST_AUTH_URL URL https://site.com/login The URL of the page containing the login form on the target website. DAST_AUTH_USERNAME and DAST_AUTH_PASSWORD are submitted with the login form to create an authenticated scan.
DAST_AUTH_USERNAME_FIELD selector name:username A selector describing the element used to enter the username on the login form.
DAST_AUTH_USERNAME string user@email.com The username to authenticate to in the website.
DAST_BROWSER_SCAN boolean true Required to be true to run a browser-based scan.
DAST_CHECKS_TO_EXCLUDE string 552.2,78.1 Comma-separated list of check identifiers to exclude from the scan. For identifiers, see vulnerability checks.
DAST_CHECKS_TO_RUN List of strings 16.1,16.2,16.3 Comma-separated list of check identifiers to use for the scan. For identifiers, see vulnerability checks.
DAST_CRAWL_EXTRACT_ELEMENT_TIMEOUT Duration string 5s The maximum amount of time to allow the browser to extract newly found elements or navigations. Defaults to 5s.
DAST_CRAWL_GRAPH boolean true Set to true to generate an SVG graph of navigation paths visited during crawl phase of the scan. You must also define gl-dast-crawl-graph.svg as a CI job artifact to be able to access the generated graph. Defaults to false.
DAST_CRAWL_MAX_ACTIONS number 10000 The maximum number of actions that the crawler performs. Example actions include selecting a link, or filling a form. Defaults to 10000.
DAST_CRAWL_MAX_DEPTH number 10 The maximum number of chained actions that the crawler takes. For example, Click -> Form Fill -> Click is a depth of three. Defaults to 10.
DAST_CRAWL_SEARCH_ELEMENT_TIMEOUT Duration string 3s The maximum amount of time to allow the browser to search for new elements or user actions. Defaults to 3s.
DAST_CRAWL_TIMEOUT Duration string 5m The maximum amount of time to wait for the crawl phase of the scan to complete. Defaults to 24h.
DAST_CRAWL_WORKER_COUNT number 3 The maximum number of concurrent browser instances to use. For instance runners on GitLab.com, we recommended a maximum of three. Private runners with more resources may benefit from a higher number, but are likely to produce little benefit after five to seven instances. The default value is dynamic, equal to the number of usable logical CPUs.
DAST_FULL_SCAN boolean true Set to true to run both passive and active checks. Default: false
DAST_LOG_BROWSER_OUTPUT boolean true Set to true to log Chromium STDOUT and STDERR.
DAST_LOG_CONFIG List of strings brows:debug,auth:debug A list of modules and their intended logging level for use in the console log.
DAST_LOG_DEVTOOLS_CONFIG string Default:messageAndBody,truncate:2000 Set to log protocol messages between DAST and the Chromium browser.
DAST_LOG_FILE_CONFIG List of strings brows:debug,auth:debug A list of modules and their intended logging level for use in the file log.
DAST_LOG_FILE_PATH string /output/browserker.log Set to the path of the file log. Default is gl-dast-scan.log
DAST_PAGE_DOM_READY_TIMEOUT Duration string 7s The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis after a navigation completes. Defaults to 6s.
DAST_PAGE_DOM_STABLE_WAIT Duration string 200ms Define how long to wait for updates to the DOM before checking a page is stable. Defaults to 500ms.
DAST_PAGE_ELEMENT_READY_TIMEOUT Duration string 600ms The maximum amount of time to wait for an element before determining it is ready for analysis. Defaults to 300ms.
DAST_PAGE_IS_LOADING_ELEMENT selector css:#page-is-loading Selector that when is no longer visible on the page, indicates to the analyzer that the page has finished loading and the scan can continue. Cannot be used with DAST_PAGE_IS_READY_ELEMENT.
DAST_PAGE_IS_READY_ELEMENT selector css:#page-is-ready Selector that when detected as visible on the page, indicates to the analyzer that the page has finished loading and the scan can continue. Cannot be used with DAST_PAGE_IS_LOADING_ELEMENT.
DAST_PAGE_MAX_RESPONSE_SIZE_MB number 15 The maximum size of a HTTP response body. Responses with bodies larger than this are blocked by the browser. Defaults to 10 MB.
DAST_PAGE_READY_AFTER_ACTION_TIMEOUT Duration string 7s The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis. Defaults to 7s.
DAST_PAGE_READY_AFTER_NAVIGATION_TIMEOUT Duration string 15s The maximum amount of time to wait for a browser to navigate from one page to another. Defaults to 15s.
DAST_PASSIVE_SCAN_WORKER_COUNT int 5 Number of workers that passive scan in parallel. Defaults to the number of available CPUs.
DAST_PKCS12_CERTIFICATE_BASE64 string ZGZkZ2p5NGd... The PKCS12 certificate used for sites that require Mutual TLS. Must be encoded as base64 text.
DAST_PKCS12_PASSWORD string password The password of the certificate used in DAST_PKCS12_CERTIFICATE_BASE64. Create sensitive custom CI/CI variables using the GitLab UI.
DAST_REQUEST_ADVERTISE_SCAN boolean true Set to true to add a Via header to every request sent, advertising that the request was sent as part of a GitLab DAST scan. Default: false.
DAST_REQUEST_COOKIES dictionary abtesting_group:3,region:locked A cookie name and value to be added to every request.
DAST_REQUEST_HEADERS string Cache-control:no-cache Set to a comma-separated list of request header names and values.
DAST_SCOPE_ALLOW_HOSTS List of strings site.com,another.com Hostnames included in this variable are considered in scope when crawled. By default the DAST_TARGET_URL hostname is included in the allowed hosts list. Headers set using DAST_REQUEST_HEADERS are added to every request made to these hostnames.
DAST_SCOPE_EXCLUDE_ELEMENTS selector a[href='2.html'],css:.no-follow Comma-separated list of selectors that are ignored when scanning.
DAST_SCOPE_EXCLUDE_HOSTS List of strings site.com,another.com Hostnames included in this variable are considered excluded and connections are forcibly dropped.
DAST_SCOPE_EXCLUDE_URLS URLs https://site.com/.*/sign-out The URLs to skip during the authenticated scan; comma-separated. Regular expression syntax can be used to match multiple URLs. For example, .* matches an arbitrary character sequence.
DAST_SCOPE_IGNORE_HOSTS List of strings site.com,another.com Hostnames included in this variable are accessed, not attacked, and not reported against.
DAST_TARGET_CHECK_SKIP boolean true Set to true to prevent DAST from checking that the target is available before scanning. Default: false.
DAST_TARGET_CHECK_TIMEOUT number 60 Time limit in seconds to wait for target availability. Default: 60s.
DAST_TARGET_PATHS_FILE string /builds/project/urls.txt Ensures that the provided paths are always scanned. Set to a file path containing a list of URL paths relative to DAST_TARGET_URL. The file must be plain text with one path per line.
DAST_TARGET_PATHS string /page1.html,/category1/page3.html Ensures that the provided paths are always scanned. Set to a comma-separated list of URL paths relative to DAST_TARGET_URL.
DAST_TARGET_URL URL https://site.com The URL of the website to scan.
DAST_USE_CACHE boolean true Set to false to disable caching. Default: true. Note: Disabling cache can cause OOM events or DAST job timeouts.
SECURE_ANALYZERS_PREFIX URL registry.organization.com Set the Docker registry base address from which to download the analyzer.